author | Oliver Poignant <oliver@poignant.se> | 2016-05-08 10:03:43 +0200 |
---|---|---|
committer | Oliver Poignant <oliver@poignant.se> | 2016-05-08 10:03:43 +0200 |
commit | 717d7478584c948eb6fd5c6b51f094d8ae6a99fd (patch) | |
tree | 896b671fbcbc98ffe6e1e500473e1af8c2239bea /gitautodeploy/parsers | |
parent | a29cbdd9d57dd28c3956e4b7615fa73b38697a03 (diff) | |
Added support for verifying GitHub secret token
Diffstat (limited to 'gitautodeploy/parsers')
-rw-r--r-- | gitautodeploy/parsers/github.py | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/gitautodeploy/parsers/github.py b/gitautodeploy/parsers/github.py
index d95a1de..82785c3 100644
--- a/gitautodeploy/parsers/github.py
+++ b/gitautodeploy/parsers/github.py
@@ -40,6 +40,24 @@ class GitHubRequestParser(WebhookRequestParser):
 logger.info("Action '%s' was fired" % action)
 # Get a list of configured repositories that matches the incoming web hook reqeust
- repo_configs = self.get_matching_repo_configs(repo_urls)
+ items = self.get_matching_repo_configs(repo_urls)
- return repo_configs, ref or "master", action, repo_urls
\ No newline at end of file
+ repo_configs = []
+ for repo_config in items:
+
+ # Validate secret token if present
+ if 'secret-token' in repo_config and 'x-hub-signature' in request_headers:
+ if not self.verify_signature(repo_config['secret-token'], request_body, request_headers['x-hub-signature']):
+ logger.warning("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
+ continue
+
+ repo_configs.append(repo_config)
+
+ return repo_configs, ref or "master", action, repo_urls
+
+ def verify_signature(self, token, body, signature):
+ import hashlib
+ import hmac
+
+ result = "sha1=" + hmac.new(str(token), body, hashlib.sha1).hexdigest()
+ return result == signature |